Security researchers at Radware have identified a new information stealer called Stresspaint that harvests Facebook login details and session cookies from Chrome’s saved login data on infected machines.
In a recently issued alert, Radware dubbed the new Trojan “Stresspaint”, after the free Windows application it hides inside, called “Relieve Stress Paint”, which is distributed from a lookalike of aol.net. The lookalike domain is built from Unicode characters that display as aol.net; converted to Punycode, it is actually xn--80a2a18a.net.
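The Punycode trick above is easy to check for mechanically. The following added example (written for this article, not Radware’s code) decodes the domain’s “xn--” label back to Unicode, maps each lookalike character to the ASCII letter it imitates using a small constructed table (a real deployment would use the Unicode confusables data from UTS #39), and flags the result when the skeleton matches a protected brand. The watch list and the confusables table are assumptions for the example.

```python
import unicodedata

# Partial, constructed table of lookalike characters -> the ASCII letter they
# visually imitate (Cyrillic rows only; not the full UTS #39 confusables data).
_CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Constructed watch list of brands whose lookalikes we want to flag.
PROTECTED_DOMAINS = {"aol.net", "facebook.com", "amazon.com"}


def decode_label(label):
    """Return one DNS label as Unicode: 'xn--' labels are Punycode, others pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(domain):
    """Replace each lookalike character with the ASCII letter it resembles."""
    return "".join(_CONFUSABLES.get(c, c) for c in domain)


def analyze_domain(domain):
    """Decode a domain, compute its ASCII skeleton and report which scripts it mixes."""
    decoded = ".".join(decode_label(label) for label in domain.split("."))
    skel = skeleton(decoded)
    # First word of the Unicode character name is its script block (LATIN, CYRILLIC, ...).
    scripts = sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                      for c in decoded if c.isalpha()})
    return {
        "domain": domain,
        "decoded": decoded,
        "skeleton": skel,
        "scripts": scripts,
        # Only a hit when lookalike substitution changed something AND the
        # resulting ASCII name is one we protect.
        "lookalike_of": skel if skel != decoded and skel in PROTECTED_DOMAINS else None,
    }


if __name__ == "__main__":
    for d in ("xn--80a2a18a.net", "aol.net"):
        print(analyze_domain(d))
```

Running it on the domain from the alert shows the decoded label is made entirely of Cyrillic letters while the top-level label stays Latin, and that its skeleton collapses to aol.net; a genuine aol.net produces no hit because no substitution takes place.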
The researchers believe that criminals are using Facebook and email spam messages to send users to the misleading website. Once there, users are invited to download a drawing tool which, while legitimate, also runs other files in the background: Temp\DX.exe, the primary Stresspaint module that remains persistent on the system, and Temp\updata.dll, potentially used later to steal credentials and/or cookies. After the files run, the malware sets a Windows registry key to gain boot persistence and launch Stresspaint’s DX.exe every time the PC boots. The Radware team says the value of this registry key is DX.exe [parameter].
“We have seen two different parameters which may indicate two different infection campaigns that the author wants to track,” the Radware team says. “This is also represented in the [Stresspaint] control panel.”
Stresspaint additionally creates another registry key, which holds each infected victim’s GUID in the form of “[5 random letters/numbers]HHMMSSYYYYMMDD”.
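Two of the artefacts described above lend themselves to quick triage: the Run-style autostart entry that launches DX.exe with a parameter, and the victim GUID whose format embeds the infection time. The following added example (not code from the article or from Radware) parses a constructed `reg query` listing to flag autostart entries whose executable lives in a Temp folder, and decodes the `[5 random letters/numbers]HHMMSSYYYYMMDD` victim ID back into a timestamp. The assumption that the persistence value sits in a Run key, the value name “DX”, the user paths and the sample ID are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of `reg query HKCU\...\Run` output (not from the article):
# one benign entry plus one modelled on the description "DX.exe [parameter]"
# launched from the user's Temp folder. The value name "DX" is an assumption.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    DX    REG_SZ    C:\Users\alice\AppData\Local\Temp\DX.exe 2
"""

# One value line of `reg query` output: <name> <type> <data>, separated by runs of spaces.
_VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

# Victim ID shape from the alert: 5 alphanumerics, then HHMMSS, then YYYYMMDD.
_VICTIM_ID = re.compile(
    r"^(?P<rand>[A-Za-z0-9]{5})(?P<hh>\d{2})(?P<mm>\d{2})(?P<ss>\d{2})"
    r"(?P<Y>\d{4})(?P<M>\d{2})(?P<D>\d{2})$"
)


def _split_command(data):
    """Split a Run value into (executable path, argument string), honouring quotes."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    parts = data.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def find_suspicious_run_entries(reg_output):
    """Return autostart entries whose executable resides under a Temp directory."""
    hits = []
    for line in reg_output.splitlines():
        m = _VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        exe, args = _split_command(m.group("data"))
        if re.search(r"\\temp\\", exe, re.IGNORECASE):
            hits.append({"name": m.group("name"), "exe": exe, "args": args})
    return hits


def parse_victim_id(victim_id):
    """Recover the infection timestamp embedded in a Stresspaint-style victim ID.

    Returns an ISO 8601 string, or None if the value does not fit the format
    (wrong length, or digits that do not form a real date such as month 13).
    """
    m = _VICTIM_ID.match(victim_id)
    if not m:
        return None
    try:
        ts = datetime(int(m["Y"]), int(m["M"]), int(m["D"]),
                      int(m["hh"]), int(m["mm"]), int(m["ss"]))
    except ValueError:
        return None
    return ts.isoformat()


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print("Temp-resident autostart:", hit)
    # Constructed victim ID: "k7x2q" + 15:30:45 + 2018-04-12
    print(parse_victim_id("k7x2q15304520180412"))
```

On a live machine the listing would come from `reg query` (or the equivalent registry API) rather than the embedded sample; the Temp-path heuristic is deliberately broad, so treat a hit as a lead to examine, with the decoded victim ID giving a starting point for the incident timeline.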
Next, the malware makes copies of Chrome’s login data and cookies database, and stores the results, allowing it to run all the queries and operations needed for it to extract login credentials and cookie files stored in the user’s Chrome browser.
Finally, Stresspaint takes the stored login data and session cookies, encrypts them, and sends them to a remote C&C panel, accompanied by the user’s GUID.
The researchers at Radware traced the exfiltrated data to a Chinese-language control panel with one section for displaying Facebook data and another for Amazon credentials. The latter section is currently empty, suggesting the attackers are focusing on Facebook credentials first and plan to go after Amazon login details second.
Radware said that the criminals are actively working on validating the Facebook credentials and session cookies, and are logging into accounts so that they can then collect additional data such as the user’s number of friends, whether they manage a Facebook page or not, and if the account has saved a payment method or not.
The researchers identified over 35,000 infected users, mainly in Vietnam, Russia and Pakistan. Stresspaint initially flew under the radar of some security software because of the way it uses Chrome’s login and cookies databases.
Radware has asked the domain registrar where the malicious domain is registered to take it down and has notified Facebook about the malware’s credentials harvesting activities.